Note from the Editor: I am always looking for contributions. If you have any suggestion concerning
the content of the Logic Column, or even better, if you would like to contribute by writing a survey
or tutorial on your own work or topic related to your area of interest, feel free to get in touch
with me.



At the last TACAS in Barcelona, already almost a year ago, Alur, Etessami, and Madhusudan 
[2004] introduced CaRet, a temporal logic framework for reasoning about programs with nested 
procedure calls and returns. The details of the logic were themselves interesting (I will return to 
them later), but a thought struck me during the presentation, whether an axiomatization might 
help understand the new temporal operators present in CaRet. Thinking a bit more about this 
question quickly led to further questions about the notion of finiteness and infinity in temporal logic 
as it is used in Computer Science. This examination of the properties of temporal logic operators 
under finite and infinite interpretations is the topic that I would like to discuss here. I will relate 
the discussion back to CaRet towards the end of the article, and derive a sound and complete 
axiomatization for an important fragment of the logic. 

Temporal logic is commonly used in Computer Science to reason about temporal properties 
of state sequences [Pnueli 1977; Gabbay, Pnueli, Shelah, and Stavi 1980]. Generally, these state 
sequences are the states that arise during the execution of a program. Temporal logic lets one write 
down properties such as "an acquired lock is eventually released" or "it is never the case that the
value of such a variable is zero". These kinds of properties become even more important in concurrent
programs, where properties such as "every process eventually executes its critical section", or "no 
two processes ever execute their critical section simultaneously" are, shall I say, critical. Many 
approaches have been developed for reasoning about programs using temporal logic. Most modern 
methods are based on model checking (see [Clarke, Grumberg, and Peled 1999], for instance), while 
other popular approaches are more proof-theoretic (see [Schneider 1997], for instance). 

In the vast majority of cases, temporal logic is interpreted over infinite state sequences. Those
infinite sequences arise naturally, for example, when modeling reactive systems, which are systems
that maintain a permanent interaction with their environment, and hence are assumed to never
terminate [Manna and Pnueli 1992]. Even when modeling systems that may terminate, it is often
acceptable to assume that the final state of the system is simply infinitely repeated; this allows
infinite state sequences to be used. Intuitively, this approach works as long as nothing of interest
happens after the system has finished executing. What happens, however, when one wants to reason
about explicitly finite state sequences? For instance, one may want to reason about a sequence
of states embedded in a larger structure, where extending the sequence to an infinite sequence by
repeating the final state is not necessarily a reasonable step to take. This is exactly what happens
in CaRet, where some of the temporal operators are interpreted over the finite traces that make
up procedure invocations, all in the context of a complete program execution.^1

*© Riccardo Pucella, 2005. This version differs slightly from that published in SIGACT News 36(1); it corrects
a number of typos in the semantics. Thanks to Claudia Zepeda for pointing them out.

In order to characterize the properties of the CaRet operators, we need to understand the 
properties of temporal operators in the presence of finite sequences. Accordingly, my first goal is 
to make clear the properties of temporal operators when interpreted over (1) finite state sequences, 
(2) infinite state sequences, and (3) both finite and infinite state sequences. To do this, I present 
a particularly simple axiomatization of temporal logic that is sound and complete over the class 
of finite and infinite state sequences. As expected, a sound and complete axiomatization for the 
logic interpreted over finite state sequences only can be derived by simply adding an axiom that 
says "there are no infinite state sequences", and a sound and complete axiomatization for the logic
interpreted over infinite state sequences only can be derived by simply adding an axiom that says 
"all state sequences are infinite". Interestingly, there is a uniform elementary proof that covers 
all the cases. These results can be found in various forms in the literature, albeit often implicitly. 
The presentation I give is meant to emphasize the contribution of exclusively finite and exclusively 
infinite traces to the axiomatization of the temporal operators. The axiomatization will be used as 
the basis of the sound and complete axiomatization for a fragment of CaRet. 

Temporal Logic Over Infinite Sequences 

Let me first discuss finiteness and infinity in the context of the simpler framework of propositional 
linear temporal logic (LTL). The only temporal operators we consider are future time operators, 
meaning that at a given state one can only reason about the current and future states, and not 
past states. Furthermore, LTL embodies a linear notion of time: from any given state, there is a 
single sequence of states describing the future.^2

The language LTL is defined inductively by the following grammar, where $p$ ranges over primitive
propositions taken from a set $\Phi_0$:

$$\varphi, \psi ::= p \mid \neg\varphi \mid \varphi \wedge \psi \mid \bigcirc\varphi \mid \varphi\,U\,\psi.$$

Let $\varphi \vee \psi$ stand for $\neg(\neg\varphi \wedge \neg\psi)$, and $\varphi \Rightarrow \psi$ stand for $\neg\varphi \vee \psi$. Further, let $\Diamond\varphi$ stand for $\mathit{true}\,U\,\varphi$,
and $\Box\varphi$ stand for $\neg\Diamond\neg\varphi$. Finally, define $\odot\varphi$ as the dual of $\bigcirc$, namely $\neg\bigcirc\neg\varphi$. The operator $\bigcirc$ is
sometimes called "weak next"; $\bigcirc\varphi$ reads "if there is a next state, then $\varphi$ holds there". The operator

^1 Another context where this occurs is in process logics [Pratt 1979], which lets one reason about finite segments
of program executions within a larger and potentially infinite execution. I hope to revisit this topic in an upcoming 
column. Saake and Lipeck [1988] and Havelund and Rosu [2001] give additional motivation for considering temporal 
reasoning over finite sequences. Other uses of temporal logic, for instance in descriptive complexity theory, often 
assume an interpretation restricted to finite words [Straubing 1994]. 

^2 This is in contrast to logics interpreted over branching time, where a state can possibly have multiple futures,
and formulas can involve quantification over futures. See Emerson and Halpern [1986] for details on the relationship 
between linear and branching time temporal logics. 
$\odot$ is sometimes called "strong next"; $\odot\varphi$ reads "there is a next state, and $\varphi$ holds there". The
formula $\varphi\,U\,\psi$ reads "$\varphi$ holds until $\psi$ is true", while $\Diamond\varphi$ reads "$\varphi$ will eventually be true" and $\Box\varphi$
reads "$\varphi$ is and always will be true".

Temporal logic is interpreted over (linear) temporal structures. A temporal structure is a tuple
$M = (S, \sigma, \pi)$ where $S$ is a set of states, $\sigma$ is a finite or infinite sequence of states in $S$, and $\pi$ is
a valuation on the states, where $\pi(s)$ is the set of primitive propositions true at state $s$. Let $|\sigma|$
denote the length of $\sigma$, understood to be $\infty$ if $\sigma$ is infinite. Infinity is assumed to behave in the
standard way with respect to integers, for instance, $i < \infty$ for all integers $i$. A temporal structure
$M = (S, \sigma, \pi)$ is finite if $\sigma$ is finite, and infinite otherwise. (Thus, finiteness of a structure depends
on the finiteness of the sequence, not that of the state space.) If $\sigma = s_0 s_1 s_2 \cdots$, I will sometimes
use the notation $\sigma_i$ to refer to the state $s_i$ in $\sigma$.

Let $\mathcal{M}$ be the set of finite and infinite temporal structures. Let $\mathcal{M}^{inf}$ be the class of infinite
structures, and $\mathcal{M}^{fin}$ be the class of finite structures. Satisfiability of a formula can be defined in a
number of equivalent ways. If $M = (S, \sigma, \pi)$, where $\sigma = s_0 s_1 \ldots$, possibly finite, define $(M, i) \models \varphi$,
meaning that formula $\varphi$ is true in structure $M$ at position $i \in \{0, \ldots, |\sigma|\}$, inductively as follows:

$(M, i) \models p$ if $p \in \pi(s_i)$

$(M, i) \models \neg\varphi$ if $(M, i) \not\models \varphi$

$(M, i) \models \varphi \wedge \psi$ if $(M, i) \models \varphi$ and $(M, i) \models \psi$

$(M, i) \models \bigcirc\varphi$ if $i = |\sigma|$ or $(M, i+1) \models \varphi$

$(M, i) \models \varphi\,U\,\psi$ if $\exists j \in \{i, \ldots, |\sigma|\}$ such that $(M, j) \models \psi$ and $\forall k \in \{i, \ldots, j-1\}$, $(M, k) \models \varphi$

Observe that $\bigcirc$ is defined in such a way that if the sequence is finite, $\bigcirc\varphi$ is true for all formulas
$\varphi$ at the final state of the sequence. More drastically, $\bigcirc\mathit{false}$ is true at a state if and only if it is
the final state in the sequence. A formula $\varphi$ is valid, written $\models \varphi$, if $(M, i) \models \varphi$ for all structures
$M$ and positions $i$.

The following axiomatization AX is well-known to be sound and complete for temporal logic,^3
as interpreted over infinite structures [Gabbay, Pnueli, Shelah, and Stavi 1980; Fagin, Halpern,
Moses, and Vardi 1995; Halpern, Meyden, and Vardi 2004]:

Prop. All instances of propositional tautologies in LTL.

MP. From $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$.

T1. $\bigcirc\varphi \wedge \bigcirc(\varphi \Rightarrow \psi) \Rightarrow \bigcirc\psi$.

T2. $\varphi\,U\,\psi \Leftrightarrow \psi \vee (\varphi \wedge \bigcirc(\varphi\,U\,\psi))$.

T3. $\bigcirc(\neg\varphi) \Leftrightarrow \neg\bigcirc\varphi$.

RT1. From $\varphi$ infer $\bigcirc\varphi$.

RT2. From $\varphi' \Rightarrow \neg\psi \wedge \bigcirc\varphi'$ infer $\varphi' \Rightarrow \neg(\varphi\,U\,\psi)$.

^3 Recall that an axiomatization is sound if every provable formula is valid, and complete if every valid formula is
provable.
This axiomatization, by virtue of soundness and completeness, intrinsically characterizes infinite
structures. In fact, it is not hard to see that the axiomatization is not sound for finite structures.
More precisely, axioms T2 and T3 are not valid in finite structures. To see this, let $p$ be a primitive
proposition, and consider the structure $M_1 = (\{s\}, s, \pi)$, that is, a finite structure with a single
state $s$, a sequence consisting of that single state $s$, and where $\pi(s) = \{p\}$. It is easy to verify that

$(M_1, 0) \not\models \mathit{false} \vee (p \wedge \bigcirc(p\,U\,\mathit{false})) \Rightarrow p\,U\,\mathit{false}$,

which is an instance of T2, specifically the $\Leftarrow$ implication of T2, and

$(M_1, 0) \not\models \bigcirc\mathit{false} \Rightarrow \neg\bigcirc\mathit{true}$,

which is an instance of T3. Thus, in order to derive an axiomatization that is sound and complete
for a class of structures including finite ones, axioms T2 and T3 must somehow be weakened.
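The semantics and the counterexample above, as an added example that is not part of the column: a small evaluator for LTL over finite traces and over infinite traces given in lasso form (a prefix plus a loop, my representation rather than the column's), which confirms that the two axiom instances fail on $M_1$ but hold once the single state is repeated forever, that T3' holds in both cases, and which also checks a liveness property of the kind mentioned in the introduction on a finite and on an infinite run.

```python
from typing import Tuple, Union

# A formula is a string (primitive proposition) or a tagged tuple built by the
# constructors below, following the grammar of the text.
Formula = Union[str, Tuple]
TRUE: Formula = ('true',)

def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Next(f): return ('next', f)               # weak next: holds at a final state
def Until(f, g): return ('until', f, g)

# Abbreviations exactly as the text defines them.
FALSE = Not(TRUE)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def Iff(f, g): return And(Implies(f, g), Implies(g, f))
def StrongNext(f): return Not(Next(Not(f)))   # the dual of weak next
def Eventually(f): return Until(TRUE, f)
def Always(f): return Not(Eventually(Not(f)))


class Trace:
    """A state sequence: a finite prefix plus an optional loop repeated forever.
    An empty loop means a finite sequence whose final position (the |sigma| of
    the text) is len(prefix) - 1; a non-empty loop gives an infinite sequence in
    lasso form, which represents any ultimately periodic run."""

    def __init__(self, prefix, loop=()):
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        if not self.prefix and not self.loop:
            raise ValueError("a trace needs at least one state")

    @property
    def finite(self) -> bool:
        return not self.loop

    def state(self, i: int) -> frozenset:
        """Valuation at position i; positions past the prefix wrap into the loop."""
        p = len(self.prefix)
        return self.prefix[i] if i < p else self.loop[(i - p) % len(self.loop)]

    def is_last(self, i: int) -> bool:
        return self.finite and i == len(self.prefix) - 1

    def until_horizon(self, i: int) -> range:
        """Positions j >= i an Until must inspect: all remaining ones on a finite
        trace, one full loop period on a lasso (anything later repeats)."""
        if self.finite:
            return range(i, len(self.prefix))
        return range(i, max(len(self.prefix) + len(self.loop), i + len(self.loop)))

    def positions(self) -> range:
        """One representative of every distinct position."""
        return range(len(self.prefix) + len(self.loop))


def holds(t: Trace, i: int, f: Formula) -> bool:
    """(M, i) |= f, clause by clause as in the text."""
    if isinstance(f, str):
        return f in t.state(i)
    tag = f[0]
    if tag == 'true':
        return True
    if tag == 'not':
        return not holds(t, i, f[1])
    if tag == 'and':
        return holds(t, i, f[1]) and holds(t, i, f[2])
    if tag == 'next':                        # i = |sigma|  or  (M, i+1) |= f
        return t.is_last(i) or holds(t, i + 1, f[1])
    if tag == 'until':
        for j in t.until_horizon(i):
            if holds(t, j, f[2]):
                return all(holds(t, k, f[1]) for k in range(i, j))
        return False
    raise ValueError(f"unknown formula {f!r}")


def valid_on(t: Trace, f: Formula) -> bool:
    """f holds at every position of t."""
    return all(holds(t, i, f) for i in t.positions())


# The axiom instances discussed in the text.
def t2_backward(f, g):   # the <= half of T2:  g v (f ^ O(f U g)) => f U g
    return Implies(Or(g, And(f, Next(Until(f, g)))), Until(f, g))

def t3(f):               # T3:  O(not f) <=> not O f
    return Iff(Next(Not(f)), Not(Next(f)))

def t3_prime(f):         # T3': O f <=> (O false v (+)f)
    return Iff(Next(f), Or(Next(FALSE), StrongNext(f)))

# Constructed structures: M1 is the single-state finite structure of the text
# with pi(s) = {p}; M1_INF repeats that state forever. The lock traces model
# "an acquired lock is eventually released" on a finite and an infinite run.
M1 = Trace([{'p'}])
M1_INF = Trace([], [{'p'}])
LOCK_SAFE = Always(Implies('acq', Eventually('rel')))
LOCK_FINITE = Trace([{'acq'}, set(), {'rel'}, {'acq'}])   # last acq never released
LOCK_INF = Trace([{'acq'}, set(), {'rel'}], [set()])
```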

A General Axiomatization

There is an axiomatization that is sound and complete for the class of finite and infinite structures.
Let $AX^{gen}$ be the following axiomatization, obtained from AX by replacing axioms T2 and T3 by
axioms T2' and T3':

Prop. All instances of propositional tautologies in LTL.

MP. From $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$.

T1. $\bigcirc\varphi \wedge \bigcirc(\varphi \Rightarrow \psi) \Rightarrow \bigcirc\psi$.

T2'. $\varphi\,U\,\psi \Leftrightarrow \psi \vee (\varphi \wedge \odot(\varphi\,U\,\psi))$.

T3'. $\bigcirc\varphi \Leftrightarrow (\bigcirc\mathit{false} \vee \odot\varphi)$.

RT1. From $\varphi$ infer $\bigcirc\varphi$.

RT2. From $\varphi' \Rightarrow \neg\psi \wedge \bigcirc\varphi'$ infer $\varphi' \Rightarrow \neg(\varphi\,U\,\psi)$.

Axiom T3' captures the following intuition for $\bigcirc\varphi$: either the next time step does not exist, or $\varphi$
is true there. As I have already argued, the fact that the next time step does not exist is expressed
by $\bigcirc\mathit{false}$. The following variants of T1 are provable in $AX^{gen}$: $\odot\varphi \wedge \bigcirc(\varphi \Rightarrow \psi) \Rightarrow \odot\psi$, and
$\bigcirc\varphi \wedge \odot(\varphi \Rightarrow \psi) \Rightarrow \odot\psi$. This axiomatization is a simplification of the axiomatization of the future
fragment of the temporal logic of Lichtenstein, Pnueli, and Zuck [1985]. Roughly speaking, the
inference rule RT2 subsumes their axioms relating $\bigcirc$ and $\Box$, using the fact that $\Box$ is expressible
using $U$.

The following two axioms can be used to tailor the axiomatization to the case where the structures
are infinite, and the case where the structures are finite. For infinite structures, an axiom is
needed to capture the fact that there is no final state:

Inf. $\neg\bigcirc\mathit{false}$.

To obtain an axiomatization for finite structures, an axiom is needed to capture the fact that every
finite structure has a final state:

Fin. $\Diamond\bigcirc\mathit{false}$.

Let $AX^{inf}$ be the axiomatization $AX^{gen}$ augmented with axiom Inf, and let $AX^{fin}$ be the axiomatization
$AX^{gen}$ augmented with axiom Fin. These axiomatizations completely characterize validity
in the appropriate class of structures. More precisely, the following result holds.

Theorem 1. For formulas in the language LTL,

(a) $AX^{gen}$ is a sound and complete axiomatization with respect to $\mathcal{M}$,

(b) $AX^{inf}$ is a sound and complete axiomatization with respect to $\mathcal{M}^{inf}$,

(c) $AX^{fin}$ is a sound and complete axiomatization with respect to $\mathcal{M}^{fin}$.

The proof of this theorem is not difficult, and uses well-understood technology. The only
difficulty, in some sense, is coming up with the proposed axiomatization. To illustrate where all the
details are used, let me spell out the details of the proof. Soundness is straightforward to establish
in all cases. Completeness is established by proving the following equivalent statement. Recall that
a formula $\varphi$ is ax-consistent, for an axiomatization ax, if $\neg\varphi$ is not provable using the axioms and
inference rules of ax. Completeness is equivalent to the fact that consistency implies satisfiability.
Thus, it suffices to show that if $\varphi$ is consistent with respect to one of the particular axiomatizations,
then it is satisfiable in a structure in the corresponding class, that is, it is possible to construct an
appropriate structure such that $\varphi$ is true in a state of the structure.

The construction is essentially independent of the axiomatization under consideration. Fix the
formula $\varphi$. The states of the model will be constructed from an extension of the set of subformulas
of $\varphi$. Let $Cl'(\varphi)$ be the smallest set $S$ such that:

(a) $\varphi \in S$,

(b) $\mathit{true}\,U\,\bigcirc\mathit{false} \in S$,

(c) if $\neg\psi \in S$ then $\psi \in S$,

(d) if $\psi_1 \wedge \psi_2 \in S$ then $\psi_1 \in S$ and $\psi_2 \in S$,

(e) if $\bigcirc\psi \in S$ then $\psi \in S$,

(f) if $\bigcirc\neg\psi \in S$ then $\bigcirc\psi \in S$,

(g) if $\psi_1\,U\,\psi_2 \in S$ then $\psi_1 \in S$, $\psi_2 \in S$, and $\odot(\psi_1\,U\,\psi_2) \in S$.

Let $Cl(\varphi) = Cl'(\varphi) \cup \{\neg\psi \mid \psi \in Cl'(\varphi)\}$. It is easy to check that for any $\varphi$, $Cl(\varphi)$ is a finite set of
formulas. Note that $\bigcirc\mathit{false}$ and $\neg\bigcirc\mathit{false}$ are always in $Cl(\varphi)$.

Let ax range over $AX^{gen}$, $AX^{inf}$, and $AX^{fin}$. An ax-atom of $\varphi$ is a maximally ax-consistent
subset of formulas in $Cl(\varphi)$. It is easy to see that ax-atoms are finite. Let $At_{ax}(\varphi)$ be the set of
ax-atoms of $\varphi$; we use $V, W, \ldots$ to denote ax-atoms. Associate with every ax-atom $V$ a formula $\hat{V}$,
the conjunction of all the formulas in $V$, that is, $\hat{V} = \bigwedge_{\psi \in V} \psi$. It is straightforward to check that
for every formula $\psi \in Cl(\varphi)$ and every ax-atom $V$ of $\varphi$, either $\psi$ or $\neg\psi$ is in $V$. (If not, then $V$ is
not maximally ax-consistent.) Using axiom Prop, it is easy to show that any formula $\psi \in Cl(\varphi)$
is provably equivalent to the disjunction $\bigvee_{\{V \in At_{ax}(\varphi) \mid \psi \in V\}} \hat{V}$, and $\mathit{true}$ is provably equivalent to the
disjunction $\bigvee_{V \in At_{ax}(\varphi)} \hat{V}$.
For ax-atoms $V$ and $W$, define $V \to W$ if $\hat{V} \wedge \odot\hat{W}$ is ax-consistent. Let $V{\to}$ be the set
$\{W \mid V \to W\}$. A chain of ax-atoms is a finite or infinite sequence $V_0, V_1, \ldots$ of ax-atoms with
the property that $V_i \to V_{i+1}$, for all $i$. A chain $V_0, V_1, \ldots$ of ax-atoms is acceptable if for all $i$,
whenever $\psi_1\,U\,\psi_2 \in V_i$, then there exists $j \geq i$ such that $\psi_2 \in V_j$ and $\psi_1 \in V_i, \ldots, V_{j-1}$. The
following lemma isolates all the properties needed to prove the completeness results.

Lemma 2.

(a) For all $\bigcirc\psi \in Cl(\varphi)$ and ax-atoms $V$, $\bigcirc\psi \in V$ if and only if for all $W \in V{\to}$, $\psi \in W$.

(b) For all $\odot\psi \in Cl(\varphi)$ and ax-atoms $V$, $\odot\psi \in V$ if and only if there exists $W \in V{\to}$ such that
$\psi \in W$.

(c) For all $\psi_1\,U\,\psi_2 \in Cl(\varphi)$ and ax-atoms $V_0$, $\psi_1\,U\,\psi_2 \in V_0$ if and only if there exists a finite
chain $V_0, V_1, \ldots, V_k$ such that $\psi_1 \in V_0, \ldots, V_{k-1}$ and $\psi_2 \in V_k$.

(d) For all ax-atoms $V$, $\bigcirc\mathit{false} \in V$ if and only if $V{\to} = \emptyset$.

(e) For all $AX^{fin}$-atoms $V_0$, there exists a finite chain $V_0, \ldots, V_k$ such that $\bigcirc\mathit{false} \in V_k$.

(f) Every finite chain of $AX^{gen}$-atoms is extensible to an acceptable chain (finite or infinite).

(g) Every finite chain of $AX^{inf}$-atoms is extensible to an infinite acceptable chain.

(h) Every finite chain of $AX^{fin}$-atoms is extensible to a finite acceptable chain.

Proof. The proof technique is adapted from that of Halpern, van der Meyden, and Vardi [2004].

(a) Assume that $\bigcirc\psi \in V$, and let $W \in V{\to}$. By way of contradiction, assume that $\psi \notin W$.
Then $\neg\psi \in W$, that is, $\vdash \hat{W} \Rightarrow \neg\psi$. By Prop and RT1, $\vdash \bigcirc(\psi \Rightarrow \neg\hat{W})$. By assumption, $\bigcirc\psi \in V$,
that is, $\vdash \hat{V} \Rightarrow \bigcirc\psi$. By MP and T1, $\vdash \hat{V} \Rightarrow \bigcirc\neg\hat{W}$. But $V \to W$ means that $\hat{V} \wedge \odot\hat{W}$ is consistent,
so that $\nvdash \hat{V} \Rightarrow \bigcirc\neg\hat{W}$, a contradiction. So $\psi \in W$.

Conversely, assume that for all $W \in V{\to}$, $\psi \in W$. By way of contradiction, assume that
$\bigcirc\psi \notin V$, so that $\neg\bigcirc\psi \in V$, and thus $\vdash \hat{V} \Rightarrow \neg\bigcirc\psi$. For any $W$ such that $\psi \notin W$, it must be the
case that $W \notin V{\to}$, and thus $\hat{V} \wedge \odot\hat{W}$ is inconsistent. Thus, $\hat{V} \wedge \odot\hat{W}$ is inconsistent for all $W$
such that $\psi \notin W$, and $\hat{V} \wedge \odot\bigvee_{\{W \mid \psi \notin W\}} \hat{W}$ is inconsistent, that is, $\hat{V} \wedge \odot\neg\psi$ is inconsistent, and
$\vdash \hat{V} \Rightarrow \neg\odot\neg\psi$, or $\vdash \hat{V} \Rightarrow \bigcirc\psi$. By assumption, $\vdash \hat{V} \Rightarrow \neg\bigcirc\psi$, so that $\vdash \hat{V} \Rightarrow \mathit{false}$,
that is, $\vdash \neg\hat{V}$, which contradicts the fact that $V$ is a consistent set of formulas. Thus, $\bigcirc\psi \in V$,
as desired.

(b) Assume that $\odot\psi \in V$. If $\odot\psi \in V$, then $\bigcirc\psi \in V$, and $\bigcirc\psi \in Cl(\varphi)$ by closure rule (f). Hence,
by part (a), all $W \in V{\to}$ are such that $\psi \in W$. It suffices to show then that there is a $W$ such that
$V \to W$. Assume not. Then $\bigvee_{\{W \mid \mathit{true} \in W\}} (\hat{V} \wedge \odot\hat{W})$ is inconsistent, and hence $\vdash \neg(\hat{V} \wedge \odot\mathit{true})$,
and $\vdash \hat{V} \Rightarrow \bigcirc\mathit{false}$. Because $\odot\psi \in V$, then $\vdash \hat{V} \Rightarrow \neg\bigcirc\mathit{false}$. So $\vdash \hat{V} \Rightarrow \mathit{false}$, that is, $\vdash \neg\hat{V}$,
contradicting $V$ being consistent. So there must be a $W \in V{\to}$.

Conversely, assume that there exists $W \in V{\to}$ and $\psi \in W$. Since $\hat{V} \wedge \odot\hat{W}$ is consistent, so is
$\bigvee_{\{W \mid \psi \in W\}} (\hat{V} \wedge \odot\hat{W})$, and $\hat{V} \wedge \odot\psi$. In other words, $\nvdash \hat{V} \Rightarrow \neg\odot\psi$. Assume by way of contradiction
that $\odot\psi \notin V$, so that $\neg\odot\psi \in V$. Then $\vdash \hat{V} \Rightarrow \neg\odot\psi$, a contradiction. Therefore, $\odot\psi \in V$.

(c) Assume that $\psi_1\,U\,\psi_2 \in V_0$. Suppose by way of contradiction that no suitable chain exists.
Let $T$ be the smallest set $S$ of ax-atoms of $\varphi$ such that $V_0 \in S$, and if $W \in V{\to}$ (for some $V$ in
$S$) and $\psi_1 \in W$, then $W \in S$. If $T$ is a set of ax-atoms, let $\hat{T} = \bigvee_{W \in T} \hat{W}$. Clearly, $\neg\psi_2 \in W$ for
all $W$ in $T$, and thus, $\vdash \hat{T} \Rightarrow \neg\psi_2$. Moreover, for every $V$ in $T$ and $W \in V{\to}$, either $W \in T$, or
$\neg\psi_1 \in W$ and $\neg\psi_2 \in W$. This yields $\vdash \hat{T} \Rightarrow \bigcirc(\hat{T} \vee (\neg\psi_1 \wedge \neg\psi_2))$. It follows easily from T1, T2',
RT1, RT2 that $\vdash \hat{T} \Rightarrow \neg(\psi_1\,U\,\psi_2)$. In particular, $\vdash \hat{V}_0 \Rightarrow \neg(\psi_1\,U\,\psi_2)$, contradicting $\psi_1\,U\,\psi_2 \in V_0$.

Conversely, by induction on $k$, if there exists $V_1 \in V_0{\to}, \ldots, V_k \in V_{k-1}{\to}$, $\psi_1 \in V_i$ for
$i \in \{0, \ldots, k-1\}$, and $\psi_2 \in V_k$, then $\psi_1\,U\,\psi_2 \in V_0$. If $k = 0$, the result follows immediately by an
application of T2' and T3'. For a general $k$, assume by way of contradiction that $\psi_1\,U\,\psi_2 \notin V_0$ (so
that $\neg(\psi_1\,U\,\psi_2) \in V_0$), and consider the subchain $V_1, \ldots, V_k$, such that $V_2 \in V_1{\to}, \ldots, V_k \in V_{k-1}{\to}$,
$\psi_1 \in V_1, \ldots, V_{k-1}$, and $\psi_2 \in V_k$. By the induction hypothesis, $\psi_1\,U\,\psi_2 \in V_1$, that is, $\vdash \hat{V}_1 \Rightarrow \psi_1\,U\,\psi_2$.
Since $V_1 \in V_0{\to}$, $\hat{V}_0 \wedge \odot\hat{V}_1$ is consistent, and by an application of RT1 and a $\odot$-variant of T1,
$\hat{V}_0 \wedge \odot(\psi_1\,U\,\psi_2)$ is consistent. Since $\psi_1 \in V_0$, $\vdash \hat{V}_0 \Rightarrow \psi_1$, and thus $\hat{V}_0 \wedge \psi_1 \wedge \odot(\psi_1\,U\,\psi_2)$ is also consistent.
By T2', $\hat{V}_0 \wedge \psi_1\,U\,\psi_2$ is consistent, that is, $\nvdash \hat{V}_0 \Rightarrow \neg(\psi_1\,U\,\psi_2)$, contradicting the assumption that
$\neg(\psi_1\,U\,\psi_2) \in V_0$. Thus, $\psi_1\,U\,\psi_2$ must be in $V_0$, as desired.

(d) Assume that $\vdash \hat{V} \Rightarrow \bigcirc\mathit{false}$. By way of contradiction, assume there is a $W \in V{\to}$.
By Prop, $\vdash \mathit{false} \Rightarrow \neg\hat{W}$, and by RT1, $\vdash \bigcirc(\mathit{false} \Rightarrow \neg\hat{W})$. By propositional reasoning and T1,
$\vdash \hat{V} \Rightarrow \bigcirc\neg\hat{W}$, which is equivalent to $\vdash \hat{V} \Rightarrow \neg\odot\hat{W}$, that is, $\vdash \neg(\hat{V} \wedge \odot\hat{W})$, contradicting the
assumption that $W \in V{\to}$, that is, that $\hat{V} \wedge \odot\hat{W}$ is consistent.

Conversely, assume that there is no $W \in V{\to}$. Therefore, for all $W$, $\hat{V} \wedge \odot\hat{W}$ is inconsistent,
and thus, $\bigvee_W (\hat{V} \wedge \odot\hat{W})$ is inconsistent. By propositional reasoning, $\hat{V} \wedge \odot\bigvee_W \hat{W}$, and thus
$\hat{V} \wedge \odot\mathit{true}$, is inconsistent. By propositional reasoning and the definition of $\odot$, this simply means that
$\vdash \hat{V} \Rightarrow \bigcirc\mathit{false}$.

(e) Let $V_0$ be an $AX^{fin}$-atom. Suppose by way of contradiction that no suitable chain exists.
Let $T$ be the smallest set $S$ of $AX^{fin}$-atoms of $\varphi$ such that $V_0 \in S$, and if $W \in V{\to}$ (for
some $V$ in $S$) then $W \in S$. Clearly, $\neg\bigcirc\mathit{false} \in W$ for all $W$ in $T$ (otherwise, it could be used
to construct a finite chain assumed not to exist), and thus, $\vdash \hat{T} \Rightarrow \neg\bigcirc\mathit{false}$. Moreover, for
every $V$ in $T$ and $W \in V{\to}$, $W \in T$. Therefore, it is possible to derive $\vdash \hat{T} \Rightarrow \bigcirc\hat{T}$, which
implies that $\vdash \hat{T} \Rightarrow \bigcirc(\hat{T} \vee (\neg\mathit{true} \wedge \neg\bigcirc\mathit{false}))$. It follows easily from T1, T2', RT1, RT2 that
$\vdash \hat{T} \Rightarrow \neg(\mathit{true}\,U\,\bigcirc\mathit{false})$. In particular, $\vdash \hat{V}_0 \Rightarrow \neg(\mathit{true}\,U\,\bigcirc\mathit{false})$, contradicting $\mathit{true}\,U\,\bigcirc\mathit{false} \in V_0$,
by virtue of axiom Fin.

(f) Let $V_0, \ldots, V_n$ be a finite chain of $AX^{gen}$-atoms. Consider a formula $\psi_1\,U\,\psi_2 \in V_0$. It
follows, from T2' and parts (a) and (b), either that $\psi_2 \in V_j$ for some $j \in \{0, \ldots, n\}$ and $\psi_1 \in V_l$
for $l \in \{0, \ldots, j-1\}$, or that $\psi_1 \in V_j$ for all $j \in \{0, \ldots, n\}$, and $\psi_1\,U\,\psi_2 \in V_n$. In the latter case,
by part (c), there exists a chain $V_n, \ldots, V_{n'}$ such that $\psi_1 \in V_k$ for $k \in \{n, \ldots, n'-1\}$ and $\psi_2 \in V_{n'}$.
This gives a finite extension of the original chain that satisfies the obligation of acceptability for
$\psi_1\,U\,\psi_2$ at $V_0$. Applying this argument to the remaining $U$-formulas in $V_0$ produces a finite chain
that satisfies all the obligations at $V_0$. Apply the same procedure to $V_1$, and so on. In the limit,
this produces an acceptable chain extending the original chain. This chain can be either finite, or
infinite.

(g) Let $V_0, \ldots, V_n$ be a finite chain of $AX^{inf}$-atoms. Just as in part (f), it is possible to
construct an acceptable chain extending this chain that satisfies all the obligations of the $U$-formulas.
If this process results in a finite acceptable chain $V_0, \ldots, V_{n'}$, this chain can be extended
to an infinite acceptable chain as follows. Given the final state $V_{n'}$ of the chain, there exists a state
$V_{n'+1} \in V_{n'}{\to}$. Otherwise, by part (d), $\vdash_{AX^{inf}} \hat{V}_{n'} \Rightarrow \bigcirc\mathit{false}$. However, by Inf, $\vdash_{AX^{inf}} \neg\bigcirc\mathit{false}$,
and thus by MP, $\vdash_{AX^{inf}} \neg\hat{V}_{n'}$, contradicting the fact that $V_{n'}$ is $AX^{inf}$-consistent. Thus, there
must exist $V_{n'+1} \in V_{n'}{\to}$. Let $V_0, \ldots, V_{n'+1}$ be the new chain formed in this way. This chain
can be once again extended to an acceptable chain, by ensuring that all the obligations of the
$U$-formulas are satisfied. In the limit, this new procedure produces an infinite acceptable chain.

(h) Let $V_0, \ldots, V_n$ be a finite chain of $AX^{fin}$-atoms. By part (e), this chain can be extended to a finite
chain, which I again write $V_0, \ldots, V_n$, such that $\bigcirc\mathit{false} \in V_n$. By part (d), this means that $V_n{\to} = \emptyset$. It remains
to show that the chain is acceptable, that is, for every $\psi_1\,U\,\psi_2$ in $V_0, \ldots, V_n$, the obligations are
met. Let $\psi_1\,U\,\psi_2 \in V_i$. Just as in part (f), it follows, from T2' and parts (a) and (b), either that
$\psi_2 \in V_j$ for some $i \leq j \leq n$ and $\psi_1 \in V_l$ for $i \leq l < j$, or that $\psi_1 \in V_j$ for all $i \leq j \leq n$, and both
$\neg\psi_2 \in V_n$ and $\psi_1\,U\,\psi_2 \in V_n$. In the former case, the obligations for $\psi_1\,U\,\psi_2$ are met. The latter case
cannot arise. Indeed, if $\psi_1\,U\,\psi_2 \in V_n$, then $\vdash \hat{V}_n \Rightarrow \psi_1\,U\,\psi_2$, so that $\vdash \hat{V}_n \Rightarrow \psi_2 \vee (\psi_1 \wedge \odot(\psi_1\,U\,\psi_2))$.
Since $\neg\psi_2 \in V_n$, $\vdash \hat{V}_n \Rightarrow \neg\psi_2$, so that $\vdash \hat{V}_n \Rightarrow \psi_1 \wedge \odot(\psi_1\,U\,\psi_2)$. Therefore, $\odot(\psi_1\,U\,\psi_2)$ must be in
$V_n$. By part (b), there must exist $W \in V_n{\to}$ with $\psi_1\,U\,\psi_2 \in W$, which contradicts the fact that
$V_n{\to} = \emptyset$. $\Box$

The completeness results of Theorem 1 follow easily from Lemma 2. Consider the axiomatization
$AX^{gen}$. Assume that $\varphi$ is $AX^{gen}$-consistent. Since $\varphi \in Cl(\varphi)$, $\varphi \in V_\varphi$ for some $AX^{gen}$-atom $V_\varphi$
of $\varphi$. Construct the structure $M = (S, \sigma, \pi)$ by taking the set of states $S$ to be the set $At_{AX^{gen}}(\varphi)$
of $AX^{gen}$-atoms of $\varphi$. Define the interpretation $\pi$ by $\pi(V) = \{p \mid p \in V\}$. All that remains now
is to extract a sequence $\sigma$ in $S$ that satisfies $\varphi$. By Lemma 2(f), $V_\varphi$, a one-element finite chain of
$AX^{gen}$-atoms, is extensible to an acceptable chain $\sigma = V_0 V_1 \ldots$. It is easy to check, by induction
on the structure of $\psi$, that $(M, i) \models \psi$ if and only if $\psi \in V_i$ for every $\psi \in Cl(\varphi)$. Since $\varphi \in V_\varphi = V_0$, then $(M, 0) \models \varphi$. A
similar argument holds for $AX^{inf}$ and $AX^{fin}$, invoking Lemma 2(g) and Lemma 2(h), respectively,
to construct an acceptable chain $\sigma$.



The Linear Temporal Logic of Calls and Returns 

While the above discussion is still fresh, let me now talk about the CaRet logic. CaRet was
designed for reasoning about programs, in the form of state sequences, each sequence corresponding
to an execution of the program. It was especially designed for reasoning about nonregular properties
of programs. The classical example of such a property is the correctness of procedures with respect
to pre- and postconditions, that is, verifying that if $\varphi$ holds before every call to a procedure,
then $\psi$ holds after the procedure returns. The nonregularity of this property is due to the fact
that finding the state where the procedure returns requires matching the number of calls and
returns within the body of the procedure. CaRet provides operators for doing just that. While
frameworks for verifying procedures with respect to pre- and postconditions go back to the seminal
work of Hoare [1969], the main contribution of CaRet is a decidable model-checking procedure for
programs expressed as recursive state machines (equivalently, pushdown systems) [Alur, Etessami,
and Yannakakis 2001; Benedikt, Godefroid, and Reps 2001]. To achieve this, CaRet assumes that
every state is tagged, indicating whether it is a call state (meaning it is a state that performs a
procedure call), a return state (meaning it is a state that corresponds to having returned from a
procedure), or an internal state (everything else). I will not discuss the model-checking algorithm
here, but instead examine the properties of the new operators that CaRet introduces.

The language CaRet of linear propositional temporal logic with calls and returns is defined
inductively by the following grammar, where $p$ ranges over primitive propositions taken from a set
$\Phi_0$, which includes $\mathit{call}$, $\mathit{ret}$, and $\mathit{int}$:^4

$$\varphi, \psi ::= p \mid \neg\varphi \mid \varphi \wedge \psi \mid \bigcirc\varphi \mid \varphi\,U\,\psi \mid \bigcirc^a\varphi \mid \varphi\,U^a\,\psi.$$

As before, define the usual abbreviations. Let $\varphi \vee \psi$ stand for $\neg(\neg\varphi \wedge \neg\psi)$, and $\varphi \Rightarrow \psi$ stand for
$\neg\varphi \vee \psi$. Define, as in LTL, $\Diamond\varphi$ to stand for $\mathit{true}\,U\,\varphi$, $\Box\varphi$ to stand for $\neg\Diamond\neg\varphi$, and $\odot\varphi$ to stand for
$\neg\bigcirc\neg\varphi$. Define $\Diamond^a\varphi$, $\Box^a\varphi$, and $\odot^a\varphi$ in a similar way.

The $\bigcirc$ and $U$ operators, the global-time operators, are the standard operators from LTL,
interpreted over whole sequences of states.^5 Thus, $\bigcirc\varphi$ means that $\varphi$ holds at the next state,
whether or not the next state is a state in an invoked procedure, or the next state follows from
returning from a procedure. The $\bigcirc^a$ and $U^a$ operators, the abstract-time operators, do not consider
all states in the sequence, but only the states in the current procedure context. Thus, $\bigcirc^a\varphi$ means
that $\varphi$ holds at the abstract next state of the procedure — if the current state is a procedure call,
then the abstract next state is in fact the matching return state; if the current state is the last
state of a procedure invocation, there is no abstract next state; similarly, if the current state is a
procedure call that never returns (say, it enters an infinite loop), there is no abstract next state.
Correspondingly, $\varphi\,U^a\,\psi$ means that the abstract path from the current state (i.e., the path formed
by successive abstract successors) satisfies $\varphi\,U\,\psi$.

To formalize these intuitions, CaRet is interpreted over structured (linear) temporal structures.
A structured temporal structure is a tuple $M = (S, \sigma, \pi)$ where $S$ is a set of states, $\sigma$ is an infinite
sequence of structured states in $S \times \{\mathit{call}, \mathit{ret}, \mathit{int}\}$, and $\pi$ is a valuation on the states, where $\pi(s)$
is the set of primitive propositions true at state $s$. For a sequence $\sigma$, define an abstract successor
function $succ^a_\sigma$ giving, for every index $i$ into $\sigma$, the index of the next abstract state for $\sigma_i$. Formally,
the abstract successor is defined as follows. First, for a sequence of structured states $\sigma$, define the
partial map $R_\sigma(i)$, which maps any $i$ to the first unmatched return after $i$, that is, the first return
that does not correspond to a procedure call performed after $i$: $R_\sigma(i) = j$, where $j$ is the smallest
$j'$ such that $j' > i$, $\sigma_{j'}$ is a return state, and the number of calls and returns in $\sigma_{i+1}, \ldots, \sigma_{j'-1}$
are equal; $R_\sigma(i) = \bot$ if there is no such $j'$. (Intuitively, $\bot$ represents the value "undefined".) The
abstract successor function can now be defined:

$$succ^a_\sigma(i) = \begin{cases} R_\sigma(i) & \text{if } \sigma_i = (-, \mathit{call}) \\ \bot & \text{if } \sigma_i \neq (-, \mathit{call}) \text{ and } \sigma_{i+1} = (-, \mathit{ret}) \\ i + 1 & \text{otherwise.} \end{cases}$$

Let $\mathcal{M}^{cr}$ be the set of structured temporal structures. Satisfiability of a formula is defined as
follows. If $M = (S, \sigma, \pi)$, where $\sigma = (s_0, t_0), (s_1, t_1), \ldots$, define $(M, i) \models \varphi$, meaning that formula
$\varphi$ is true in structure $M$ at position $i \geq 0$, inductively as follows:

$(M, i) \models p$ if $p \in \pi(s_i)$ or $p = t_i$

$(M, i) \models \neg\varphi$ if $(M, i) \not\models \varphi$

$(M, i) \models \varphi \wedge \psi$ if $(M, i) \models \varphi$ and $(M, i) \models \psi$

^4 In fact, this is just a fragment of CaRet. The full logic includes past-time temporal operators that walk back
the call chain of a procedure. I believe that the development in this section extends in a straightforward way to the
full language, but I have not checked the details.

^5 Alur, Etessami, and Madhusudan use $\bigcirc^g\varphi$ and $\varphi\,U^g\,\psi$ for the global-time operators.
$(M, i) \models \bigcirc\varphi$ if $(M, i+1) \models \varphi$

$(M, i) \models \varphi\,U\,\psi$ if $\exists j \geq i$ such that $(M, j) \models \psi$ and $\forall k \in \{i, \ldots, j-1\}$, $(M, k) \models \varphi$

$(M, i) \models \bigcirc^a\varphi$ if $succ^a_\sigma(i) = \bot$ or $(M, succ^a_\sigma(i)) \models \varphi$

$(M, i) \models \varphi\,U^a\,\psi$ if $\exists i_0, i_1, \ldots, i_k$ (with $i_0 = i$) such that $succ^a_\sigma(i_j) = i_{j+1} \neq \bot$ (for $j = 0, \ldots, k-1$),
$(M, i_k) \models \psi$, and $(M, i_j) \models \varphi$ (for $j = 0, \ldots, k-1$).

(The semantics above uses a "weak" semantics for $\bigcirc^a\varphi$, while the original description of CaRet
uses a "strong" semantics. In other words, the interpretation of $\bigcirc^a\varphi$ in the original CaRet is the
same as that of $\odot^a\varphi$ here. I made this choice for consistency with the usual reading of $\bigcirc$ as a weak
next and to reuse the development of the last section. Clearly, there is no loss of expressiveness from
this change.)
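The abstract successor, the abstract path and the $U^a$ clause above, as an added example that is not part of the column: a Python computation of $R_\sigma$ and $succ^a_\sigma$ over a constructed call/return-tagged trace, together with a check of the pre/postcondition property $\mathit{call} \wedge \varphi \Rightarrow \bigcirc^a\psi$ mentioned at the start of this section. The trace is assumed to be the finite prefix of a run that ends in an $\mathit{int}$ state repeated forever (my assumption, not the column's), so no call or return occurs past its last index.

```python
from typing import List, Optional, Set, Tuple

# A structured state is (tag, propositions), with tag in {'call', 'ret', 'int'}.
# As in the semantics above, the tag itself counts as a true proposition.
Tagged = Tuple[str, Set[str]]


def holds_prop(trace: List[Tagged], i: int, p: str) -> bool:
    """(M, i) |= p for a primitive proposition p: p in pi(s_i) or p = t_i."""
    tag, props = trace[i]
    return p == tag or p in props


def first_unmatched_return(trace: List[Tagged], i: int) -> Optional[int]:
    """R_sigma(i): the smallest j > i such that sigma_j is a return state and the
    calls and returns strictly between i and j balance. None plays the role of
    the undefined value (nothing past the prefix is a return, so none at all)."""
    depth = 0                      # calls minus returns seen in sigma_{i+1..j-1}
    for j in range(i + 1, len(trace)):
        tag = trace[j][0]
        if tag == 'ret':
            if depth == 0:
                return j
            depth -= 1
        elif tag == 'call':
            depth += 1
    return None


def abstract_successor(trace: List[Tagged], i: int) -> Optional[int]:
    """succ^a_sigma(i) by the three cases of the definition. The last state of
    the prefix is taken to repeat forever, so its successor is itself."""
    last = len(trace) - 1
    if trace[i][0] == 'call':
        return first_unmatched_return(trace, i)
    if i < last and trace[i + 1][0] == 'ret':
        return None
    return min(i + 1, last)


def abstract_path(trace: List[Tagged], i: int) -> List[int]:
    """i_0 = i, i_1, ... with succ^a(i_j) = i_{j+1}, stopping when the successor
    is undefined or the repeated terminal state has been reached."""
    path = [i]
    while True:
        nxt = abstract_successor(trace, path[-1])
        if nxt is None or nxt == path[-1]:
            return path
        path.append(nxt)


def abstract_until(trace: List[Tagged], i: int, phi: str, psi: str) -> bool:
    """(M, i) |= phi U^a psi for primitive phi, psi: psi holds somewhere on the
    abstract path from i and phi holds at every abstract state before that."""
    for idx in abstract_path(trace, i):
        if holds_prop(trace, idx, psi):
            return True
        if not holds_prop(trace, idx, phi):
            return False
    return False


def pre_post_violations(trace: List[Tagged], pre: str, post: str) -> List[Tuple[int, int]]:
    """Call states refuting  call ^ pre => O^a post: pre holds at the call and
    post fails at the matching return. With the weak O^a of the text, a call
    that never returns satisfies the formula, so it is not reported."""
    bad = []
    for i, (tag, _) in enumerate(trace):
        if tag == 'call' and holds_prop(trace, i, pre):
            r = first_unmatched_return(trace, i)
            if r is not None and not holds_prop(trace, r, post):
                bad.append((i, r))
    return bad


# Constructed trace: a procedure is called at 1 (with p) and returns at 7 with
# q, calling a nested procedure in between (3 .. 5); a second call at 8 returns
# at 9 without q. Position 10 is the terminal int state assumed to repeat.
TRACE: List[Tagged] = [
    ('int',  {'p'}),
    ('call', {'p'}),
    ('int',  {'busy'}),
    ('call', {'busy'}),
    ('int',  set()),
    ('ret',  {'q', 'busy'}),
    ('int',  {'done'}),
    ('ret',  {'q'}),
    ('call', {'p'}),
    ('ret',  set()),
    ('int',  set()),
]
```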

What about an axiomatization for this logic? The following axioms account for the fact that
the $\bigcirc$/$U$ fragment of CaRet is essentially LTL interpreted over infinite sequences.

Prop. All instances of propositional tautologies in CaRet.

MP. From $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$.

G1. $\bigcirc\varphi \wedge \bigcirc(\varphi \Rightarrow \psi) \Rightarrow \bigcirc\psi$.

G2. $\varphi\,U\,\psi \Leftrightarrow \psi \vee (\varphi \wedge \odot(\varphi\,U\,\psi))$.

G3. $\bigcirc\varphi \Leftrightarrow (\bigcirc\mathit{false} \vee \odot\varphi)$.

G4. $\neg\bigcirc\mathit{false}$.

RG1. From $\varphi$ infer $\bigcirc\varphi$.

RG2. From $\varphi' \Rightarrow \neg\psi \wedge \bigcirc\varphi'$ infer $\varphi' \Rightarrow \neg(\varphi\,U\,\psi)$.

The operators $\bigcirc^a$ and $U^a$ behave like the standard temporal operators, except they are interpreted
over possibly finite sequences.

A1. $\bigcirc^a\varphi \wedge \bigcirc^a(\varphi \Rightarrow \psi) \Rightarrow \bigcirc^a\psi$.

A2. $\varphi\,U^a\,\psi \Leftrightarrow \psi \vee (\varphi \wedge \odot^a(\varphi\,U^a\,\psi))$.

A3. $\bigcirc^a\varphi \Leftrightarrow (\bigcirc^a\mathit{false} \vee \odot^a\varphi)$.

RA1. From $\varphi$ infer $\bigcirc^a\varphi$.

RA2. From $\varphi' \Rightarrow \neg\psi \wedge \bigcirc^a\varphi'$ infer $\varphi' \Rightarrow \neg(\varphi\,U^a\,\psi)$.

The remaining axioms capture the relationship between the kind of states (call states, return
states, internal states), and the behavior of the various next-time operators. Roughly, this amounts
to capturing the properties of the $succ^a_\sigma$ function, when it is defined, and when it is not. The
following axiom says that exactly one of $\mathit{call}$, $\mathit{ret}$, $\mathit{int}$ holds at any state.

C1. $(\mathit{call} \wedge \neg\mathit{ret} \wedge \neg\mathit{int}) \vee (\neg\mathit{call} \wedge \mathit{ret} \wedge \neg\mathit{int}) \vee (\neg\mathit{call} \wedge \neg\mathit{ret} \wedge \mathit{int})$.

If the current state is not a call state, then the properties of the abstract next state operator depend
on whether the next global state is a return state.

C2. $\neg\mathit{call} \wedge \bigcirc(\neg\mathit{ret}) \Rightarrow (\bigcirc\varphi \Leftrightarrow \odot^a\varphi)$.

C3. $\neg\mathit{call} \wedge \bigcirc(\mathit{ret}) \Rightarrow \bigcirc^a\mathit{false}$.

C4. $\odot^a\varphi \Rightarrow \Diamond\varphi$.

Already, it is possible to derive from these axioms that if a state is not a call state and there is
no abstract next state, then the global next state must be a return state; in other words, the only
case where there is no abstract next state (unless a procedure call is performed) is at the end of a
procedure invocation. Here is a formal derivation of $\neg\mathit{call} \wedge \bigcirc^a\mathit{false} \Rightarrow \bigcirc\mathit{ret}$:

1. $\vdash \neg\mathit{call} \wedge \bigcirc\neg\mathit{ret} \Rightarrow (\bigcirc\mathit{true} \Leftrightarrow \neg\bigcirc^a\mathit{false})$  (C2)

2. $\vdash \neg\mathit{call} \Rightarrow (\bigcirc\neg\mathit{ret} \Rightarrow (\bigcirc\mathit{true} \Rightarrow \neg\bigcirc^a\mathit{false}))$  (1, Taut, MP)

3. $\vdash (\bigcirc\neg\mathit{ret} \Rightarrow (\bigcirc\mathit{true} \Rightarrow \neg\bigcirc^a\mathit{false})) \Rightarrow (\bigcirc\mathit{true} \Rightarrow (\bigcirc^a\mathit{false} \Rightarrow \neg\bigcirc\neg\mathit{ret}))$  (Taut)

4. $\vdash \neg\mathit{call} \Rightarrow (\bigcirc\mathit{true} \Rightarrow (\bigcirc^a\mathit{false} \Rightarrow \neg\bigcirc\neg\mathit{ret}))$  (2, 3, MP)

5. $\vdash \bigcirc\mathit{true} \Rightarrow (\neg\mathit{call} \Rightarrow (\bigcirc^a\mathit{false} \Rightarrow \neg\bigcirc\neg\mathit{ret}))$  (4, Taut, MP)

6. $\vdash \bigcirc\mathit{true}$  (Taut, RG1)

7. $\vdash \neg\mathit{call} \Rightarrow (\bigcirc^a\mathit{false} \Rightarrow \neg\bigcirc\neg\mathit{ret})$  (5, 6, MP)

8. $\vdash \neg\mathit{call} \wedge \bigcirc^a\mathit{false} \Rightarrow \neg\bigcirc\neg\mathit{ret}$  (7, Taut, MP)

9. $\vdash \bigcirc\mathit{ret} \Leftrightarrow (\bigcirc\mathit{false} \vee \neg\bigcirc\neg\mathit{ret})$  (G3)

10. $\vdash (\bigcirc\mathit{ret} \Leftrightarrow (\bigcirc\mathit{false} \vee \neg\bigcirc\neg\mathit{ret})) \Rightarrow (\neg\bigcirc\mathit{false} \Rightarrow (\neg\bigcirc\neg\mathit{ret} \Rightarrow \bigcirc\mathit{ret}))$  (Taut)

11. $\vdash \neg\bigcirc\mathit{false} \Rightarrow (\neg\bigcirc\neg\mathit{ret} \Rightarrow \bigcirc\mathit{ret})$  (9, 10, MP)

12. $\vdash \neg\bigcirc\mathit{false}$  (G4)

13. $\vdash \neg\bigcirc\neg\mathit{ret} \Rightarrow \bigcirc\mathit{ret}$  (11, 12, MP)

14. $\vdash \neg\mathit{call} \wedge \bigcirc^a\mathit{false} \Rightarrow \bigcirc\mathit{ret}$  (8, 13, MP).


If the current position is a call, then the abstract successor exists or not, depending on whether
or not there is a balanced number of calls and returns before the return matching the call. This
turns out to be painful to capture. Intuitively, the logic cannot count — there is no way to say
(directly) that "there are exactly the same number of call states as there are return states before
the matching return". The best one can do is basically enumerate all possibilities. Define the class
of formulas $\mathit{CR}^{c}_{m,n}(\varphi)$, one for every $c, m, n \geq 0$ such that $c + m \geq n$. Intuitively, $\mathit{CR}^{c}_{m,n}(\varphi)$ says
that between the current state and the first state where $\varphi$ holds, there are exactly $m$ call states
and $n$ return states, and moreover there are never more than $c$ return states more than the number
of call states.



$$
\mathit{CR}^{c}_{m,n}(\varphi) =
\begin{cases}
\mathit{int}\,\mathcal{U}\,\varphi & \text{if } m = 0, n = 0 \\
\mathit{int}\,\mathcal{U}\,(\mathit{call} \wedge \bigcirc\mathit{CR}^{c+1}_{m-1,n}(\varphi)) & \text{if } m > 0, n = 0 \\
\mathit{int}\,\mathcal{U}\,(\mathit{ret} \wedge \bigcirc\mathit{CR}^{c-1}_{m,n-1}(\varphi)) & \text{if } m = 0, n > 0 \\
\mathit{int}\,\mathcal{U}\,(\mathit{call} \wedge \bigcirc\mathit{CR}^{c+1}_{m-1,n}(\varphi)) & \text{if } m > 0, n > 0, c = 0 \\
\mathit{int}\,\mathcal{U}\,(\mathit{call} \wedge \bigcirc\mathit{CR}^{c+1}_{m-1,n}(\varphi)) \vee \mathit{int}\,\mathcal{U}\,(\mathit{ret} \wedge \bigcirc\mathit{CR}^{c-1}_{m,n-1}(\varphi)) & \text{if } m > 0, n > 0, c > 0.
\end{cases}
$$
With this, it is possible to define a countable number of axioms that essentially say that if the
current state is a call state, and the number of calls and returns following the current state match
before there is a return where $\varphi$ holds, then there is an abstract next state and $\varphi$ holds there.

C5. $\mathit{call} \wedge \bigcirc\mathit{CR}^{0}_{n,n}(\mathit{ret} \wedge \varphi) \Rightarrow \neg\bigcirc^a\neg\varphi$ (for $n \geq 0$).

Of course, C5 is a family of axioms, one for each $n \geq 0$.

Similarly, if the number of calls exceeds the number of returns after a call state, then there 
cannot be an abstract next state. 

C6. $\mathit{call} \wedge \bigcirc\mathit{CR}^{0}_{m,n}(\Box\neg\mathit{ret}) \Rightarrow \bigcirc^a\mathit{false}$ (for $m > n \geq 0$).

Again, C6 is a family of axioms, one for each $m > n \geq 0$.
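The counting that C5 and C6 have to do by enumeration, and the derived fact $\neg\mathit{call} \wedge \bigcirc^a\mathit{false} \Rightarrow \bigcirc\mathit{ret}$ above, can be exercised mechanically on a model. The following Python is an added example, not code from the article or from the CaRet authors: it computes the abstract successor function $\mathit{succ}^a$ on a finite prefix of a structured state sequence, evaluates the $\bigcirc$, $\mathcal{U}$, $\bigcirc^a$ and $\mathcal{U}^a$ operators with the weak semantics used here, unfolds $\mathit{CR}^{c}_{m,n}(\varphi)$ by its recursive definition, and checks on a constructed run that the unfolding agrees with direct counting, that the premise of C5 indeed forces an abstract successor satisfying $\varphi$, and that the derived fact holds at every position. The sample run, the propositions `p` and `q`, and the treatment of the end of the prefix as "no successor" are assumptions of the example.

```python
# Added example (not the article's code): a small model checker for the O / U /
# O^a / U^a fragment of CaRet on a finite prefix of a structured state sequence.
CALL, RET, INT = "call", "ret", "int"

def abstract_succ(kinds, i):
    """succ^a(i) or None: a call's matching return; else the next state unless it is a return."""
    if kinds[i] != CALL:
        return None if i + 1 >= len(kinds) or kinds[i + 1] == RET else i + 1
    depth = 0
    for j in range(i + 1, len(kinds)):
        depth += kinds[j] == CALL
        if kinds[j] == RET:
            if depth == 0:
                return j
            depth -= 1
    return None  # unmatched within the prefix (assumed: it never returns)

def holds(run, i, f):
    """Evaluate f (nested tuples) at position i of run = (kinds, props). Next-operators are
    weak; the end of the prefix counts as 'no successor' (the real sequences are infinite)."""
    kinds, props = run
    op = f[0]
    if op in ("true", "false"):
        return op == "true"
    if op == "p":  # call / ret / int, or a constructed proposition
        return f[1] == kinds[i] or f[1] in props[i]
    if op == "not":
        return not holds(run, i, f[1])
    if op == "and":
        return holds(run, i, f[1]) and holds(run, i, f[2])
    if op == "or":
        return holds(run, i, f[1]) or holds(run, i, f[2])
    if op == "next":  # weak global next
        return i + 1 >= len(kinds) or holds(run, i + 1, f[1])
    if op == "anext":  # weak abstract next
        j = abstract_succ(kinds, i)
        return j is None or holds(run, j, f[1])
    if op in ("until", "auntil"):  # walk the global or the abstract successors
        j = i
        while j is not None:
            if holds(run, j, f[2]):
                return True
            if not holds(run, j, f[1]):
                return False
            j = abstract_succ(kinds, j) if op == "auntil" else (
                j + 1 if j + 1 < len(kinds) else None)
        return False
    raise ValueError(f"unknown operator {op}")

def CR(c, m, n, f):
    """Unfold CR^c_{m,n}(f) into a formula by the recursive definition above."""
    assert min(c, m, n) >= 0 and c + m >= n
    if m == 0 and n == 0:
        return ("until", ("p", INT), f)
    options = []
    if m > 0:
        options.append(("until", ("p", INT),
                        ("and", ("p", CALL), ("next", CR(c + 1, m - 1, n, f)))))
    if n > 0 and c > 0:
        options.append(("until", ("p", INT),
                        ("and", ("p", RET), ("next", CR(c - 1, m, n - 1, f)))))
    return options[0] if len(options) == 1 else ("or", options[0], options[1])

def cr_direct(run, i, c, m, n, f):
    """CR^c_{m,n}(f) by counting: f reached after exactly m calls and n returns, returns never
    exceeding calls by more than c on the way."""
    kinds, calls, rets = run[0], 0, 0
    for j in range(i, len(kinds)):
        if calls == m and rets == n and holds(run, j, f):
            return True
        calls += kinds[j] == CALL
        rets += kinds[j] == RET
        if calls > m or rets > n or rets - calls > c:
            return False
    return False

def cross_check(run, f, cases):  # do the unfolding and the counting agree everywhere?
    return all(holds(run, i, CR(c, m, n, f)) == cr_direct(run, i, c, m, n, f)
               for i in range(len(run[0])) for c, m, n in cases)

def check_c5(run, n, f):
    """C5 on the prefix: call /\ O CR^0_{n,n}(ret /\ f) forces an abstract successor with f."""
    kinds = run[0]
    premise = ("next", CR(0, n, n, ("and", ("p", RET), f)))
    for i, kind in enumerate(kinds):
        if kind == CALL and holds(run, i, premise):
            j = abstract_succ(kinds, i)
            if j is None or not holds(run, j, f):
                return False
    return True

def check_derived(run):  # not call /\ O^a false => O ret, at every position
    fact = ("or", ("p", CALL), ("or", ("not", ("anext", ("false",))), ("next", ("p", RET))))
    return all(holds(run, i, fact) for i in range(len(run[0])))

# Constructed run: main calls f (1..7), f calls g (3..5), main calls h at 9, which has not
# returned by the end of the prefix. p holds at the two returns, q inside h.
KINDS = [INT, CALL, INT, CALL, INT, RET, INT, RET, INT, CALL, INT, INT]
PROPS = [{"p"} if k in (5, 7) else {"q"} if k == 10 else set() for k in range(len(KINDS))]
RUN = (KINDS, PROPS)
RET_P = ("and", ("p", RET), ("p", "p"))  # ret /\ p, the phi used with C5
```

On this run `true U q` holds at the call at position 1 (q is reached along the global sequence) while `true U^a q` does not, since the abstract successors of that call jump straight to its matching return at position 7 and then into h, which never returns; the two premises of C5 for n = 0 and n = 1 pick out exactly the calls whose matching return carries p. The cross-check is a sanity check of the definition on one run, not a proof, and it is only meaningful where no call or return sits at the very end of the prefix, where the weak next would be vacuously true.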

Theorem 3. $\mathrm{AX}_{cr}$ is a sound and complete axiomatization for CaRet with respect to structured
temporal structures.

Soundness is straightforward. The strategy for proving completeness is, unsurprisingly, analo-
gous to that of the proof of Theorem 3: assuming $\varphi$ is consistent, completeness requires showing
that $\varphi$ is satisfiable; to construct a model of $\varphi$, take an atom of $\varphi$ containing $\varphi$, and extend it to
an acceptable infinite sequence of atoms. I leave it to the reader to generalize $\mathit{Cl}'(\varphi)$ and $\mathit{Cl}(\varphi)$ in
the right way, by adding clauses for $\bigcirc^a$ and $\mathcal{U}^a$ mimicking those for $\bigcirc$ and $\mathcal{U}$. Atoms of $\varphi$ have
the same definition, maximally consistent subsets of formulas in $\mathit{Cl}(\varphi)$, as does the formula $\widehat{V}$ for
any given atom $V$. (For atoms, as for the other notions, there is no need for an axiomatization
qualification, as there is a single axiomatization to consider.) The relation $V \rightarrow W$ between atoms
is again defined to hold if $\widehat{V} \wedge \bigcirc\widehat{W}$ is consistent. A chain of atoms is a finite or infinite sequence
$V_0, V_1, \ldots$ of atoms with the property that $V_i \rightarrow V_{i+1}$, for all $i$. It remains to show how to extend
a finite chain of atoms into a suitably defined acceptable chain. This is where things vary from the
proof of Theorem 1, to account for the structured states.

First, given a (possibly finite) chain $V = V_0, V_1, V_2, \ldots$, define $R_V$ and $\mathit{succ}_V$ just as they are
defined for sequences of states, but instead of checking that an element at index $i$ is a call state
(resp., a return state or an internal state) by checking that it is of the form $(-, \mathit{call})$ (resp., $(-, \mathit{ret})$
or $(-, \mathit{int})$), do so by checking that $\mathit{call} \in V_i$ (resp., $\mathit{ret} \in V_i$ or $\mathit{int} \in V_i$). This is well defined,
thanks to axiom C1.

An infinite chain $V = V_0, V_1, \ldots$ of atoms is acceptable if for all $i$,

• whenever $\psi_1\,\mathcal{U}\,\psi_2 \in V_i$, then there exists $j \geq i$ such that $\psi_2 \in V_j$ and $\psi_1 \in V_i, \ldots, V_{j-1}$;

• whenever $\bigcirc^a\psi \in V_i$ and $\mathit{succ}_V(i) \neq \bot$, then $\psi \in V_{\mathit{succ}_V(i)}$;

• whenever $\psi_1\,\mathcal{U}^a\,\psi_2 \in V_i$, then there exist $i_0, i_1, \ldots, i_k$ (with $i_0 = i$) such that $\mathit{succ}_V(i_j) =
i_{j+1} \neq \bot$ (for $j = 0, \ldots, k-1$), $\psi_2 \in V_{i_k}$, and $\psi_1 \in V_{i_j}$ (for $j = 0, \ldots, k-1$).

The following lemma isolates the properties needed to finish the proof of completeness. 

Lemma 4.

(a) For all $\bigcirc\psi \in \mathit{Cl}(\varphi)$ and atoms $V$, $\bigcirc\psi \in V$ if and only if for all $W$ with $V \rightarrow W$, $\psi \in W$.

(b) For all $\bigcirc\psi \in \mathit{Cl}(\varphi)$ and atoms $V$, $\bigcirc\psi \in V$ if and only if there exists $W$ with $V \rightarrow W$ such that
$\psi \in W$.

(c) For all $\psi_1\,\mathcal{U}\,\psi_2 \in \mathit{Cl}(\varphi)$ and atoms $V_0$, $\psi_1\,\mathcal{U}\,\psi_2 \in V_0$ if and only if there exists a finite chain
$V_0, V_1, \ldots, V_k$ such that $\psi_1 \in V_0, \ldots, V_{k-1}$ and $\psi_2 \in V_k$.

(d) For all $\bigcirc^a\psi \in \mathit{Cl}(\varphi)$ and atoms $V_0$, $\bigcirc^a\psi \in V_0$ if and only if for all finite chains $V$ of atoms
$V_0, V_1, \ldots, V_k$ such that $\mathit{succ}_V(0) = k$, $\psi \in V_k$.

(e) For all $\psi_1\,\mathcal{U}^a\,\psi_2 \in \mathit{Cl}(\varphi)$ and atoms $V_0$, $\psi_1\,\mathcal{U}^a\,\psi_2 \in V_0$ if and only if there exists a finite
chain $V$ of atoms $V_0, V_1, \ldots, V_k$ and indices $i_0, \ldots, i_j < k$ such that $\mathit{succ}_V(i_l) = i_{l+1}$ (for
$l = 0, \ldots, j-1$), $\mathit{succ}_V(i_j) = k$, $\psi_1 \in V_{i_0}, \ldots, V_{i_j}$ and $\psi_2 \in V_k$.

(f) Every finite chain of atoms is extensible to an acceptable chain.

I leave the proof as an exercise; it follows the structure of the proof of Lemma 2 quite closely, 
despite requiring a slightly more involved argument for parts (d) and (e), as one would expect. 

So there we are: a sound and complete axiomatization for (an important fragment of) CaRet. 
We get the usual benefits from it, namely, the possibility of reasoning purely deductively about 
structured temporal structures, and this gives an alternative to model-checking for proving prop- 
erties of programs. I do not know, at this point, whether the decision problem for the logic is 
decidable, and so reasoning deductively may not be feasible. One problem with the axiomatization 
$\mathrm{AX}_{cr}$ is that it is not very nice. In fact, axioms C5 and C6 are downright ugly. I believe this
is difficult to avoid. Since CaRet does not have operators for counting, the axioms must keep 
count the hard way — listing all possibilities — to match returns to calls. It may still be possible, 
however, to develop alternate axiomatizations more suited to using CaRet as a program logic. 
That remains to be seen. 